On Fri, Oct 07, 2016 at 09:30:35AM -0400, Rob Crittenden wrote:
> Alessandro De Maria wrote:
> > Hello,
> >
> > I am running the following command to create a certificate for etcd
> >
> > "ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt",
> > "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zzzzzz", "-D",
> > "dock07.prod.zzzz", "-A", "10.0.1.67", "-K", "etcd/dock07.prod.zzzz"
> >
> > ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our
> > request, giving up: 2100 (RPC failed at server. Insufficient
> > access: Subject alt name type IP Address is forbidden).
> >
> > I believe FreeIPA does not currently support IPs as the SAN of a
> > certificate.
> >
> > Is this still the case? Is there a workaround?
>
> Still the case (and not likely to change AFAIK) and the only workaround is
> in code.
>

There have occasionally been discussions about this. It might be possible in the future, if we implement an extensible cert request authorisation mechanism. Won't happen anytime soon, though.

> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
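
Added example, not part of the thread and not FreeIPA's code: the type the server refused is one tagged entry inside the request's subjectAltName extension, and this Python code decodes such an extension value and flags the iPAddress entries before a request is submitted. The helper names, the `FORBIDDEN` set and the constructed sample bytes are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code: classify subjectAltName GeneralNames.
import ipaddress
# Context-specific tag numbers of GeneralName (RFC 5280, section 4.2.1.6).
GENERAL_NAME_TYPES = {1: "rfc822Name", 2: "dNSName", 6: "URI", 7: "iPAddress"}
FORBIDDEN = {"iPAddress"}  # assumption: mirrors the refusal in the error above


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def san_entries(ext_value):
    """Decode a GeneralNames SEQUENCE into a list of (type_name, text)."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        name = GENERAL_NAME_TYPES.get(tag & 0x1F, "other(%d)" % (tag & 0x1F))
        if name == "iPAddress":
            text = str(ipaddress.ip_address(value))  # 4 or 16 raw bytes
        else:
            text = value.decode("ascii", "replace")
        entries.append((name, text))
    return entries


def forbidden_entries(ext_value):
    """Return only the SAN entries whose type the policy refuses."""
    return [e for e in san_entries(ext_value) if e[0] in FORBIDDEN]


def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length only (< 128)


# Constructed sample: the SAN the request in this thread asks for (-D and -A).
SAMPLE = tlv(0x30, tlv(0x82, b"dock07.prod.zzzz") + tlv(0x87, bytes([10, 0, 1, 67])))

if __name__ == "__main__":
    for kind, text in san_entries(SAMPLE):
        print(kind, text, "FORBIDDEN" if kind in FORBIDDEN else "ok")
```
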